Add verification tests for the "export-cdi" DeriveContext feature

chipsalliance · Jan 27, 2025 · f688192 · f688192
1 parent b39178f
commit f688192
Show file tree

Hide file tree

Showing 8 changed files with 583 additions and 475 deletions.
diff --git a/simulator/src/main.rs b/simulator/src/main.rs
@@ -112,6 +112,10 @@ struct Args {
     /// Supports the RETAIN_PARENT_CONTEXT extension to DeriveContext
     #[arg(long)]
     supports_retain_parent_context: bool,
+
+    /// Supports the CDI_EXPORT extension to DeriveContext
+    #[arg(long)]
+    supports_cdi_export: bool,
 }
 
 struct SimTypes {}
@@ -156,6 +160,7 @@ fn main() -> std::io::Result<()> {
         Support::RETAIN_PARENT_CONTEXT,
         args.supports_retain_parent_context,
     );
+    support.set(Support::CDI_EXPORT, args.supports_cdi_export);
 
     let mut env = DpeEnv::<SimTypes> {
         crypto: <SimTypes as DpeTypes>::Crypto::new(),

diff --git a/verification/client/abi.go b/verification/client/abi.go
@@ -35,6 +35,7 @@ type Support struct {
 	InternalDice        bool
 	IsCA                bool
 	RetainParentContext bool
+	CdiExport           bool
 }
 
 // profileCommandCodes holds command codes for a specific revision of the
@@ -125,6 +126,9 @@ const (
 // ContextHandle is a DPE context handle
 type ContextHandle [16]byte
 
+// ExportedCdi is a handle to an exported CDI
+type ExportedCdi [32]byte
+
 // DestroyCtxCmd is input parameters to DestroyContext
 type DestroyCtxCmd struct {
 	handle ContextHandle
@@ -218,6 +222,8 @@ const (
 	InputAllowCA        DeriveContextFlags = 1 << 26
 	InputAllowX509      DeriveContextFlags = 1 << 25
 	Recursive           DeriveContextFlags = 1 << 24
+	CdiExport           DeriveContextFlags = 1 << 23
+	CreateCertificate   DeriveContextFlags = 1 << 22
 )
 
 // DeriveContextReq is the input request to DeriveContext
@@ -233,16 +239,14 @@ type DeriveContextReq[Digest DigestAlgorithm] struct {
 type DeriveContextResp struct {
 	NewContextHandle    ContextHandle
 	ParentContextHandle ContextHandle
+	ExportedCdi         ExportedCdi
+	CertificateSize     uint32
+	NewCertificate      []byte
 }
 
 // SignFlags is the input flags to Sign
 type SignFlags uint32
 
-// Supported Sign flags
-const (
-	IsSymmetric SignFlags = 1 << 30
-)
-
 // SignReq is the input request to Sign
 type SignReq[Digest DigestAlgorithm] struct {
 	ContextHandle ContextHandle
@@ -512,15 +516,43 @@ func (c *DPEABI[_, _, _]) GetCertificateChainABI() (*GetCertificateChainResp, er
 }
 
 // DeriveContextABI calls DPE DeriveContext command.
-func (c *DPEABI[_, Digest, _]) DeriveContextABI(cmd *DeriveContextReq[Digest]) (*DeriveContextResp, error) {
-	var respStruct DeriveContextResp
+func (c *DPEABI[_, Digest, DPECertificate]) DeriveContextABI(cmd *DeriveContextReq[Digest]) (*DeriveContextResp, error) {
+	// Define an anonymous struct for the response, because the shape changes if exportCdi is set.
+	if cmd.Flags&CdiExport == CdiExport {
+		respStruct := struct {
+			NewContextHandle    [16]byte
+			ParentContextHandle [16]byte
+			ExportedCdi         [32]byte
+			CertificateSize     uint32
+			Certificate         DPECertificate
+		}{}
+		_, err := execCommand(c.transport, c.constants.Codes.DeriveContext, c.Profile, cmd, &respStruct)
+		if err != nil {
+			return nil, err
+		}
 
-	_, err := execCommand(c.transport, c.constants.Codes.DeriveContext, c.Profile, cmd, &respStruct)
-	if err != nil {
-		return nil, err
-	}
+		return &DeriveContextResp{
+			NewContextHandle:    respStruct.NewContextHandle,
+			ParentContextHandle: respStruct.ParentContextHandle,
+			ExportedCdi:         respStruct.ExportedCdi,
+			CertificateSize:     respStruct.CertificateSize,
+			NewCertificate:      respStruct.Certificate.Bytes()[:respStruct.CertificateSize],
+		}, nil
+	} else {
+		respStruct := struct {
+			NewContextHandle    [16]byte
+			ParentContextHandle [16]byte
+		}{}
+		_, err := execCommand(c.transport, c.constants.Codes.DeriveContext, c.Profile, cmd, &respStruct)
+		if err != nil {
+			return nil, err
+		}
 
-	return &respStruct, err
+		return &DeriveContextResp{
+			NewContextHandle:    respStruct.NewContextHandle,
+			ParentContextHandle: respStruct.ParentContextHandle,
+		}, nil
+	}
 }
 
 // RotateContextHandleABI calls DPE RotateContextHandle command.
@@ -733,5 +765,8 @@ func (s *Support) ToFlags() uint32 {
 	if s.RetainParentContext {
 		flags |= (1 << 19)
 	}
+	if s.CdiExport {
+		flags |= (1 << 18)
+	}
 	return flags
 }
diff --git a/verification/sim/transport.go b/verification/sim/transport.go
@@ -82,6 +82,9 @@ func (s *DpeSimulator) PowerOn() error {
 	if s.supports.RetainParentContext {
 		args = append(args, "--supports-retain-parent-context")
 	}
+	if s.supports.CdiExport {
+		args = append(args, "--supports-cdi-export")
+	}
 
 	s.cmd = exec.Command(s.exePath, args...)
 	s.cmd.Stdout = os.Stdout